
Blocking Spam

The SPAM-L mailing list will be shut down as of May 11th, 2009.
Please read this post for more information and an explanation.
This FAQ will be kept indefinitely for historical purposes but updates will be rare, if they are made at all.
[Edit: Some folks have set up a successor to the list at http://spammers.dontlike.us/ (SDLU). I have no current involvement with that list, but I encourage folks to check it out!]

If you're on Windows or Macintosh, see if you can find a mail client which will do filtering for you. Better yet, ask your ISP if they can filter your mail for you so that you don't have to download spam only
to have it filtered.

RFC 822 is an
official Internet document which describes all the standard headers.
There are of course many non-standard headers which are inserted by some mail programs. Some of those are merely a strong hint that a message is spam, others only under certain circumstances, and some are only added by bulk e-mail programs.

Here are a few examples that are frequently brought up:

X-PMflags

This is inserted by Pegasus. The only time it
should appear on incoming e-mail is when someone who uses Pegasus is
forwarding e-mail to you.

X-UIDL

There is a feature of the POP3 protocol (which is used to download
e-mail from your ISP) where you can issue a command called "UIDL", which
generates a unique "identifier" for each message; some clients then write
that identifier into the message as this header. So, if your POP3 client
doesn't add those in (like mine), you can safely filter on them.
Here's a valid header, for reference:

X-UIDL: b07a13a309dff618f53a09eeb9b966cc

Comments: Authenticated sender ...

This is inserted by Pegasus. If the message doesn't also have

X-Mailer: Pegasus

the information here is bogus and the message was sent using one of the
broken bulk e-mail programs.
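The three header hints above, turned into a small checker as an added example (this is not code from the FAQ or from the SPAM-L list); it uses Python's standard e-mail parser in place of a procmail recipe, and the sample messages and the MY_CLIENT_ADDS_UIDL switch are constructed assumptions:

```python
from email import message_from_string

# Assumption: set True if your own POP3 client writes X-UIDL into downloaded
# mail; in that case the header is no longer a useful hint.
MY_CLIENT_ADDS_UIDL = False

def bulk_mail_hints(raw_message):
    """Return the FAQ header heuristics that fire on one raw RFC 822 message.

    X-PMflags and X-UIDL are suspicious unless your own software put them
    there; 'Comments: Authenticated sender' is only credible when X-Mailer
    also says the mail came from Pegasus. An empty list means no hint fired.
    """
    msg = message_from_string(raw_message)
    mailer = msg.get("X-Mailer", "")
    hints = []

    if msg.get("X-PMflags") is not None:
        hints.append("X-PMflags present (legitimate only on mail forwarded by a Pegasus user)")

    if msg.get("X-UIDL") is not None and not MY_CLIENT_ADDS_UIDL:
        hints.append("X-UIDL present but my POP3 client never adds it")

    # 'Comments:' may legitimately appear more than once, so check every copy.
    for comment in msg.get_all("Comments", []):
        if comment.strip().lower().startswith("authenticated sender") \
                and "Pegasus" not in mailer:
            hints.append("'Comments: Authenticated sender' without 'X-Mailer: Pegasus'")
            break
    return hints

# Constructed sample messages (not real mail) used to exercise the rules.
FORGED = (
    "From: someone@example.invalid\n"
    "To: dmuth@ot.com\n"
    "Comments: Authenticated sender is <someone@example.invalid>\n"
    "X-UIDL: b07a13a309dff618f53a09eeb9b966cc\n"
    "Subject: MAKE MONEY FAST\n"
    "\n"
    "body\n"
)
GENUINE_PEGASUS = (
    "From: friend@example.invalid\n"
    "To: dmuth@ot.com\n"
    "X-Mailer: Pegasus\n"
    "Comments: Authenticated sender is <friend@example.invalid>\n"
    "Subject: lunch?\n\nbody\n"
)

if __name__ == "__main__":
    print(bulk_mail_hints(FORGED), bulk_mail_hints(GENUINE_PEGASUS))
```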

Since more and more LANs are running Windows NT on their servers, they
have MTAs that aren't quite as configurable as sendmail, so it may be
more difficult to filter out unwanted spams.

A way around this is to set up a UNIX box to handle e-mail, and create an
MX record pointing to it in the DNS database for that domain so that all
e-mail gets sent to the UNIX box, which can filter out spam with
procmail, sendmail, or whatever, and then pass it on to the LAN.

If you are trying to keep costs down, I would recommend that you check
out Linux, a free version of UNIX that
runs on 386/486/Pentium systems.

Blocking a domain is a serious step, and can generally only be done by
the sysadmin. It involves configuring one's router to ignore any and all
TCP/IP packets from a given network, regardless of type. This means they
can't even browse your website. See IDP. An
automated method for doing this is by joining the Realtime Blackhole
List, which has proven effective in keeping spam down on the sites that have
joined it. More information can be found at
http://mail-abuse.org/rbl.

Your administrator could also configure their MTA (mail transport agent)
to refuse mail from a spammer's site. This is not 100% effective,
because the spammers can route their mail via an innocent third party's
server. More and more sites are disabling the relay feature from their
servers, though, making it harder for the spammers to get through.

Another step some administrators take is to block a site by way of
Procmail, which can filter mail by the IP address of the originating site
(provided this information is present in the message headers).

Usenet Death Penalty.
This is used only in the most extreme of cases where NNTP servers are
configured to refuse any and all postings coming from a certain system.
This happened to Prodigy in September of 1995 due to them refusing to
take action against phone sex spammers. When they started nuking the
accounts, the UDP was lifted.

UDP also stands for User Datagram Protocol, part of the TCP/IP protocol
suite, so the use of this acronym can be a bit confusing; however, it is
usually possible to determine which one is being used from the context.

Internet Death Penalty. Used when a site refuses to do anything about
abuse coming from them. What happens is that other sites will refuse
connections of any sort coming from this site.
The premise behind this is that users on that site will start complaining
to their system administrators and the sysadmins will have to deal with
their spammer problems or lose customers.

Plussed addresses are available for UNIX boxes running newer
versions of sendmail. You can add a plus sign and any string you want
after the username and before the '@' and the mail will still be delivered
properly. For instance, dmuth+this-is-a-test@ot.com will reach me
just fine.

However, before you attempt to use plussed addresses in your e-mail, I
would suggest trying to e-mail yourself with a plussed address to make
sure your ISP supports them.

In terms of catching spammers, I have "dmuth+virus@ot.com" on my
anti-virus homepage and NOWHERE else. I got a spam to that address about
something that had nothing to do with viruses so it _really_ served to
prove that spammers don't check their lists. Also, it proves that they
look for 'mailto:' links.

Furthermore, if you start getting lots of spams to a plussed address
(maybe after posting to Usenet with it), you can easily write a procmail
recipe to dump all mail to that address to /dev/null.
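A way to act on plussed addresses, as an added example rather than the FAQ's own procmail recipe: it pulls the plus-tag out of every recipient header and discards mail to tags that have started drawing spam. MY_USER and MY_DOMAIN come from the FAQ's example address; BURNED_TAGS, the Delivered-To handling and the sample messages are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions for illustration: user and domain are the FAQ's own example
# address; BURNED_TAGS is a constructed set of tags that now attract spam
# (the FAQ's "virus" tag plus one imagined Usenet posting tag).
MY_USER = "dmuth"
MY_DOMAIN = "ot.com"
BURNED_TAGS = {"virus", "usenet-1998"}

def plus_tag(address):
    """Return the tag of a plussed address at MY_DOMAIN ('' if untagged), None if not mine."""
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() != MY_DOMAIN:
        return None
    user, _, tag = local.partition("+")
    if user.lower() != MY_USER:
        return None
    return tag

def my_tags(raw_message):
    """Collect every plus-tag addressed to me across the recipient headers."""
    msg = message_from_string(raw_message)
    # Delivered-To (when your MTA adds it) also catches Bcc'd mail, whose
    # To/Cc lines will not mention your address at all.
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])
                         + msg.get_all("Delivered-To", []))
    tags = {plus_tag(addr) for _, addr in pairs}
    tags.discard(None)
    return tags

def disposition(raw_message):
    """'discard' if any recipient tag has been burned, otherwise 'deliver'."""
    return "discard" if my_tags(raw_message) & BURNED_TAGS else "deliver"

# Constructed sample messages (not real mail).
TO_BURNED = "From: x@example.invalid\nTo: dmuth+virus@ot.com\nSubject: hi\n\nbody\n"
TO_PLAIN = "From: y@example.invalid\nTo: Doug <dmuth@ot.com>\nSubject: hi\n\nbody\n"
TO_FRESH = "From: z@example.invalid\nTo: dmuth+this-is-a-test@ot.com\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for raw in (TO_BURNED, TO_PLAIN, TO_FRESH):
        print(sorted(my_tags(raw)), disposition(raw))
```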